
The latest data breach victim is the U.S. Internal Revenue Service, which disclosed May 26 that information on 100,000 American taxpayers is at risk.

The IRS reported that the breach came by way of its Get Transcript application, which is currently unavailable. The Get Transcript service enables taxpayers to obtain a statement of their tax account transactions, including line-by-line tax return information as well as income reported to the IRS for a given tax year.

According to the IRS, hackers were able to make use of data from non-IRS sources to gain access to the Get Transcript application.

"In this sophisticated effort, third parties succeeded in clearing a multi-step authentication process that required prior personal knowledge about the taxpayer, including Social Security information, date of birth, tax filing status and street address before accessing IRS systems," the IRS stated. "The multi-layer process also requires an additional step, where applicants must correctly answer several personal identity verification questions that typically are only known by the taxpayer."


While the IRS is admitting that 100,000 taxpayer accounts were breached, the damage could have been worse: the IRS investigation of the incident found that attackers made 200,000 attempts to access accounts. The attack against the Get Transcript application is now thought to have started in February and was operational until mid-May, and the IRS says its other systems were not breached.
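The pattern the IRS describes, a multi-step knowledge-based authentication (KBA) flow cleared at scale with personal data obtained elsewhere, is one that velocity monitoring on the authentication logs can surface: a genuine taxpayer retries their own identity, while a scripted actor replaying purchased PII walks through many distinct identities from one source in minutes. The detector below is an added illustration and not IRS code; the log format, field names, thresholds and the sample lines are all constructed assumptions.

```python
"""Velocity detector for knowledge-based-authentication (KBA) abuse.

Added illustration, not IRS code. Log format, field names and thresholds are
assumptions; the sample lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, source address, hashed taxpayer id, KBA outcome.
# 203.0.113.7 cycles through six different identities in 15 seconds;
# 198.51.100.9 is one taxpayer retrying after a failed first attempt.
SAMPLE_LOG = """\
2015-03-01T09:00:01Z 203.0.113.7 tp-0001 pass
2015-03-01T09:00:04Z 203.0.113.7 tp-0002 fail
2015-03-01T09:00:07Z 203.0.113.7 tp-0003 pass
2015-03-01T09:00:09Z 203.0.113.7 tp-0004 pass
2015-03-01T09:00:12Z 203.0.113.7 tp-0005 fail
2015-03-01T09:00:15Z 203.0.113.7 tp-0006 pass
2015-03-01T09:01:00Z 198.51.100.4 tp-0100 pass
2015-03-01T10:30:00Z 198.51.100.9 tp-0200 fail
2015-03-01T10:31:10Z 198.51.100.9 tp-0200 pass
"""

def parse(line):
    ts, src, tp, outcome = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, tp, outcome

def flag_sources(log_text, window=timedelta(minutes=10), max_identities=3):
    """Return {source: (distinct identities, KBA passes)} for every source that
    attempts KBA for more than max_identities distinct taxpayers inside one
    sliding window. Totals are over all of that source's events."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, tp, outcome = parse(line)
            by_src[src].append((ts, tp, outcome))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start, tripped = 0, False
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            if len({tp for _, tp, _ in events[start:end + 1]}) > max_identities:
                tripped = True
                break
        if tripped:
            ids = {tp for _, tp, _ in events}
            passes = sum(1 for _, _, o in events if o == "pass")
            flagged[src] = (len(ids), passes)
    return flagged
```

In production the source key would be an IP, ASN or device fingerprint and the threshold tuned against the service's own baseline, but the signal is the same: many identities, high pass rate, one origin.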

Security experts eWEEK spoke with were not surprised about the disclosure but said it raises questions about the tax agency's response to the incident.

While the IRS disclosure wasn't surprising, said Andre Ludwig, senior technical director of Novetta, the amount of time it took to inform the public about this particular intrusion is surprising and worrisome. "It appears the IRS was aware of the problem for a prolonged amount of time, and decision timelines involved post-detection were alarming in bringing down the responsible system," Ludwig told eWEEK. "Response may have been delayed due to IRS staff's inability to mitigate risk directly without leadership and external support."

Delayed decision cycles should be measured in days to weeks—not months—in an organization where security leadership has the authority to directly mitigate risk for the organization, Ludwig said.

Rob Ragan, senior security associate at Bishop Fox, agreed with the notion that the IRS response time is not as quick as it should be. The IRS and organizations that handle large sums of money should constantly re-evaluate and improve their incident-response and fraud-detection capabilities, he said.

"The fact that it went unnoticed for so long has revealed shortcomings in their fraud-detection capabilities, and their inability to close the gaps right away is indicative of an insufficient incident-response plan," Ragan said.

Ludwig said security organizations should be treated as first-class citizens alongside their business or policy brethren. Security organizations should be empowered to directly mitigate risk for organizations to protect them and their customers and help shrink the cycle of detection, analysis, communication and action, Ludwig said.

"One cannot simply rely on technical savvy; we need to enable security leadership to execute against identified risks to an organization," he said.

Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.
